mailing list archives
Rockliffe Mailsite User Enumeration Flaw
From: Josh Zlatin <jzlatin () ramat cc>
Date: Wed, 4 Jan 2006 10:05:03 -0500 (EST)
Synopsis: Rockliffe's Mailsite Mail Management Server User Enumeration Flaw.
Product: Rockliffe Mailsite
Version: Confirmed on Mailsite <= 18.104.22.168
Author: Josh Zlatin-Amishav
Date: January 4, 2006
Rockliffe MailSite secure email server software and MailSite MP secure email
gateways provide email server solutions and gateway email protection for
businesses and service providers. Rockliffe has more than 3,000 customers
hosting more than 15 million mailboxes worldwide.
In working with researchers at Tenable Network Security, I have come across
a user enumeration flaw in the Mail Management Agent (MAILMA). The server
responds differently depending on whether the user account exists. This affords
an attacker a means of brute forcing passwords and an effective means to
cultivate valid email addresses for spam.
josh () maoz:~$ telnet 10.0.0.6 106
Connected to 10.0.0.6 (10.0.0.6).
Escape character is '^]'.
200 Ok, "MailSite Mail Management Server (22.214.171.124) ready"
510 "Error 2 in OpenMailbox, The system cannot find the file specified. "
200 Ok, "send password"
In addition the MailMA service does not block / throttle connection attempts,
or close a user account after a given number of unsuccessful attempts.
Vendor notified: January 3, 2006 06:12AM
Contact your sales rep about purchasing Mailsite 126.96.36.199
(note version 188.8.131.52 is also vulnerable to this issue)
None at this time.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Rockliffe Mailsite User Enumeration Flaw Josh Zlatin (Jan 04)